Posted on 12-09-2020 01:22 PM
I'm a new customer of Jamf Protect and have to keep my Macs secure according to PCI compliance as well as CIS 20, and I'm starting to move towards ISO 27001.
Does anyone have any good custom analytics that they've built for meeting compliance and best practices needs that didn't come prebuilt?
Posted on 12-15-2020 03:08 PM
Here are some of the custom analytics I have helped to build!
Command Line Account Creation
Sensor Type: GPProcessEvent
$event.type == 1 AND $event.process.name == "/usr/bin/dscl" AND $event.process.commandLine CONTAINS " -create "
Command Line Activity
(Warning: This is noisy!!)
Sensor Type: GPProcessEvent
$event.type == 1 AND $event.process.commandLine LIKE "*"
Curl Events
Sensor Type: GPProcessEvent
$event.type == 1 AND $event.process.signingInfo.appid == "com.apple.curl"
DNSModification via hosts file
Sensor Type: GPFSEvent
$event.isModified == 1 AND $event.path ==[cd] "/private/etc/hosts"
Launch Daemon Deleted
Sensor Type: GPFSEvent
$event.type == 1 AND $event.path MATCHES[cd] "(?:/System)?/Library/LaunchDaemons/.*.plist"
Launchctl Event
Sensor Type: GPProcessEvent
$event.type == 1 AND $event.process.path == "/bin/launchctl"
Monitor Root User Creation
Sensor Type: GPFSEvent
$event.path MATCHES[cd] "/etc/passwd" AND (($event.isNewFile == 1 OR $event.isModified == 1)) AND FUNCTION($event.file, "newDelimitedEntries:comments:" , ".newlines", "#").@count > 0 AND FUNCTION($event.file, "newDelimitedEntries:comments:" , ".newlines", "#")[0] BEGINSWITH "root:"
Screen Sharing Activity
Sensor Type: GPProcessEvent
$event.type == 1 AND $event.process.name == "screensharingd"
Threat Prevention Quarantined
Sensor Type: GPFSEvent
$event.isNewFile == 1 AND $event.path MATCHES[c] "/Library/Application Support/JamfProtect/Quarantine/.*/.*"
Users Created
Sensor Type: GPFSEvent
$event.isNewDirectory == True AND $event.path.stringByDeletingLastPathComponent == "/Users"
Users Deleted
(Note: only detects the user home directory being deleted)
Sensor Type: GPFSEvent
$event.type == 1 AND $event.path.stringByDeletingLastPathComponent == "/System/Volumes/Data/Users"
Jamf Pro Agent Removed (10.15 & above)
Sensor Type: GPFSEvent
$event.type == 1 AND $event.file.path == "/System/Volumes/Data/usr/local/jamf/bin/jamfAgent"
Applications Added
Sensor Type: GPFSEvent
$event.isNewDirectory == True AND $event.path.stringByDeletingLastPathComponent == "/Applications"
Files Downloaded from the Internet
Sensor Type: GPDownloadEvent
true == true
Unsigned Keylogger In Action
Sensor Type: GPKeylogRegisterEvent
( $event.source.signingInfo.signerType == 4 )
Launchctl Unloaded
Sensor Type: GPProcessEvent
( $event.type == 1 AND $event.process.path CONTAINS "/bin/launchctl" AND $event.process.args CONTAINS "unload" )
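To see how several of the analytics above behave against concrete events, here is an added example (not Jamf Protect code and not from the post's author) that re-expresses five of the predicates as Python checks and runs them over constructed sample events; field names follow the predicates, and case-insensitive matching stands in for the [cd] option.

```python
import re

# Added example, not Jamf Protect's own code: the analytics from the post above, re-expressed as
# Python checks so their logic can be exercised offline. Field names follow the thread's
# predicates; matching is approximated (MATCHES/==[cd] -> full, case-insensitive match).
RULES = {
    "Command Line Account Creation": lambda e: (
        e["sensor"] == "GPProcessEvent" and e["type"] == 1
        and e["process"]["name"] == "/usr/bin/dscl"
        and " -create " in e["process"]["commandLine"]),
    "DNSModification via hosts file": lambda e: (
        e["sensor"] == "GPFSEvent" and e.get("isModified") == 1
        and e["path"].lower() == "/private/etc/hosts"),
    "Launch Daemon Deleted": lambda e: (
        e["sensor"] == "GPFSEvent" and e["type"] == 1
        and re.fullmatch(r"(?:/System)?/Library/LaunchDaemons/.*\.plist", e["path"], re.I) is not None),
    "Launchctl Unloaded": lambda e: (
        e["sensor"] == "GPProcessEvent" and e["type"] == 1
        and "/bin/launchctl" in e["process"]["path"] and "unload" in e["process"]["args"]),
}

def passwd_first_entry_is_root(content):
    """Mirror of FUNCTION(..., "newDelimitedEntries:comments:", ".newlines", "#"): drop '#'
    comment lines and blanks, then report whether the first remaining entry starts with 'root:'."""
    entries = [ln for ln in content.splitlines() if ln and not ln.startswith("#")]
    return bool(entries) and entries[0].startswith("root:")

RULES["Monitor Root User Creation"] = lambda e: (
    e["sensor"] == "GPFSEvent" and e["path"].lower() == "/etc/passwd"
    and (e.get("isNewFile") == 1 or e.get("isModified") == 1)
    and passwd_first_entry_is_root(e["file"]))

def run_analytics(events):
    """Return [(rule_name, event_index), ...] for every rule that fires on each event."""
    return [(name, i) for i, e in enumerate(events) for name, check in RULES.items() if check(e)]

# Constructed sample events, not real telemetry; a benign dscl read is included as a negative case.
SAMPLE_EVENTS = [
    {"sensor": "GPProcessEvent", "type": 1, "process": {"name": "/usr/bin/dscl", "path": "/usr/bin/dscl",
     "commandLine": "/usr/bin/dscl . -create /Users/svc UserShell /bin/bash", "args": [".", "-create"]}},
    {"sensor": "GPFSEvent", "type": 2, "isModified": 1, "path": "/private/etc/HOSTS"},
    {"sensor": "GPFSEvent", "type": 1, "path": "/Library/LaunchDaemons/com.example.agent.plist"},
    {"sensor": "GPFSEvent", "type": 2, "isModified": 1, "path": "/etc/passwd",
     "file": "##\n# User Database\n##\nroot:*:0:0:System Administrator:/var/root:/bin/sh\n"},
    {"sensor": "GPProcessEvent", "type": 1, "process": {"name": "launchctl", "path": "/bin/launchctl",
     "commandLine": "launchctl unload /Library/LaunchDaemons/com.example.agent.plist", "args": ["unload"]}},
    {"sensor": "GPProcessEvent", "type": 1, "process": {"name": "/usr/bin/dscl", "path": "/usr/bin/dscl",
     "commandLine": "/usr/bin/dscl . -read /Users/svc", "args": [".", "-read", "/Users/svc"]}},
]
```

Running `run_analytics(SAMPLE_EVENTS)` fires exactly one rule per sample event except the final dscl read, which matches nothing.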
Posted on 01-14-2021 01:28 PM
Hey @Kelli.Conlin, thanks for sharing your custom analytics! I've definitely taken note. Any chance you have any analytics created for logging firewall events?
Posted on 05-10-2021 01:26 PM
@Kelli.Conlin - Thank you! Great starting point. If anyone has tips for how to detect a specific process being killed, I'm all ears!